drill-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-4280) Kerberos Authentication
Date Wed, 02 Nov 2016 23:50:58 GMT

    [ https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15630943#comment-15630943 ]

ASF GitHub Bot commented on DRILL-4280:
---------------------------------------

Github user sudheeshkatkam commented on a diff in the pull request:

    https://github.com/apache/drill/pull/578#discussion_r86267130
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java
---
    @@ -308,33 +312,57 @@ public BitToUserHandshake getHandshakeResponse(UserToBitHandshake
inbound) throw
             connection.setHandshake(inbound);
     
             try {
    +          // TODO(SUDHEESH): MUST FIX THIS VERSION CHECK FIRST BEFORE THE CHECK BELOW
               if (inbound.getRpcVersion() != UserRpcConfig.RPC_VERSION) {
                 final String errMsg = String.format("Invalid rpc version. Expected %d, actual
%d.",
                     UserRpcConfig.RPC_VERSION, inbound.getRpcVersion());
     
                 return handleFailure(respBuilder, HandshakeStatus.RPC_VERSION_MISMATCH, errMsg,
null);
               }
     
    -          if (authenticator != null) {
    -            try {
    -              String password = "";
    -              final UserProperties props = inbound.getProperties();
    -              for (int i = 0; i < props.getPropertiesCount(); i++) {
    -                Property prop = props.getProperties(i);
    -                if (UserSession.PASSWORD.equalsIgnoreCase(prop.getKey())) {
    -                  password = prop.getValue();
    -                  break;
    +          connection.setHandshake(inbound);
    +
    +          if (authFactory != null) {
    +            if (inbound.getRpcVersion() <= 5) { // for backward compatibility <=
1.8
    +              final String userName = inbound.getCredentials().getUserName();
    +              if (logger.isTraceEnabled()) {
    +                logger.trace("User {} on connection {} is using an older client (Drill
version <= 1.8).",
    +                    userName, connection.getRemoteAddress());
    +              }
    +              try {
    +                String password = "";
    +                final UserProperties props = inbound.getProperties();
    +                for (int i = 0; i < props.getPropertiesCount(); i++) {
    +                  Property prop = props.getProperties(i);
    +                  if (UserSession.PASSWORD.equalsIgnoreCase(prop.getKey())) {
    +                    password = prop.getValue();
    +                    break;
    +                  }
    +                }
    +                final PlainMechanism plainMechanism = authFactory.getPlainMechanism();
    +                if (plainMechanism == null) {
    +                  throw new UserAuthenticationException("The server no longer supports
username/password" +
    +                      " based authentication. Please talk to your system administrator.");
                     }
    +                plainMechanism.getAuthenticator().authenticate(userName, password);
    +                connection.changeHandlerTo(handler);
    +                connection.finalizeSession(userName);
    +                respBuilder.setStatus(HandshakeStatus.SUCCESS);
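
Review bot: The strict equality check at the top of the try block (`inbound.getRpcVersion() != UserRpcConfig.RPC_VERSION`) returns RPC_VERSION_MISMATCH before the new `inbound.getRpcVersion() <= 5` branch can run for any client whose version differs from the server's, so the backward-compatibility path is only reachable when the server's own RPC_VERSION is 5 or lower, and in that case every client takes it. The TODO flags this, but it should be resolved in this change rather than left as a comment: accept a supported range of versions in the first check, and replace the literal 5 with a named constant so the cut-off is documented in one place. Separately, `connection.setHandshake(inbound);` is added inside the try block although the same call already appears in the unchanged context line just above it; one of the two should go.
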
    --- End diff --
    
    Successful auth is logged elsewhere.


> Kerberos Authentication
> -----------------------
>
>                 Key: DRILL-4280
>                 URL: https://issues.apache.org/jira/browse/DRILL-4280
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Chunhui Shi
>              Labels: security
>
> Drill should support Kerberos based authentication from clients. This means that both the ODBC and JDBC drivers as well as the web/REST interfaces should support inbound Kerberos. For Web this would most likely be SPNEGO while for ODBC and JDBC this will be more generic Kerberos.
> Since Hive and much of Hadoop supports Kerberos there is a potential for a lot of reuse of ideas if not implementation.
> Note that this is related to but not the same as https://issues.apache.org/jira/browse/DRILL-3584




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
